
Researcher Discovers ATM Hack, Gets Silenced

kdawson posted more than 5 years ago | from the wait-wait-not-yet dept.

Security 229

Al writes "A researcher working for networking company Juniper has been forced to cancel a Black Hat presentation that would have revealed a way to hack into ATMs. The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago. The article mentions a growing trend in ATM hacking: In November 2008 thieves stole nearly $9 million from more than 130 cash machines in 49 cities worldwide. And earlier this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions."


If it's an exploit for ATM *Machines*... (5, Funny)

jeffb (2.718) (1189693) | more than 5 years ago | (#28650055)

...it must be pretty abstract, since an "automated teller machine machine" is apparently running in emulation anyhow.

Re:If it's an exploit for ATM *Machines*... (1)

NastyNate (398542) | more than 5 years ago | (#28650377)

Not emulation. Just a machine for making ATMs. Kind of like MasterMold (from X-Men) for ATMs.

Re:If it's an exploit for ATM *Machines*... (1)

MickyTheIdiot (1032226) | more than 5 years ago | (#28650691)

So clearly someone should invent the "automated teller machine machine machine," the machine that automatically builds the machine that automatically builds the ATM.

The inventor would make a bundle... at least until someone invented the "automated teller machine machine machine machine"!

Re:If it's an exploit for ATM *Machines*... (1)

maxume (22995) | more than 5 years ago | (#28650985)

And then some bastard invents the Generalized machine maker machine.

Re:If it's an exploit for ATM *Machines*... (2, Interesting)

idontgno (624372) | more than 5 years ago | (#28651037)

Done. [azonano.com]

Re:If it's an exploit for ATM *Machines*... (5, Funny)

N Monkey (313423) | more than 5 years ago | (#28650577)

...it must be pretty abstract, since an "automated teller machine machine" is apparently running in emulation anyhow.

No. It has to be an "ATM Machine" in order to be able to enter a "PIN number".

Re:If it's an exploit for ATM *Machines*... (1)

schon (31600) | more than 5 years ago | (#28650855)

It has to be an "ATM Machine" in order to be able to enter a "PIN number".

I wonder - how much RAM memory is there in those ATM machines to be able to hold all those PIN numbers?

And what kind of NIC card do they have?

Anyone want a peanut? :)

Re:If it's an exploit for ATM *Machines*... (1)

seven of five (578993) | more than 5 years ago | (#28651105)

Do they run on AC current?

Re:If it's an exploit for ATM *Machines*... (1)

MattXBlack (1534971) | more than 5 years ago | (#28650915)

You mean a personal PIN number?

Re:If it's an exploit for ATM *Machines*... (2, Informative)

RichardJenkins (1362463) | more than 5 years ago | (#28651041)

'ATM' has been a pseudo-acronym [wikipedia.org] since people stopped using the phrase 'automated teller machine' except to pretend that saying 'ATM machine' is silly. Bah!

Re:If it's an exploit for ATM *Machines*... (0)

Anonymous Coward | more than 5 years ago | (#28651111)

I would agree with you if I hadn't just got back from Germany. When I found people who spoke English and asked where I could find an ATM, they had no idea what I was talking about. When I said automated teller machine, they knew right away.

Re:If it's an exploit for ATM *Machines*... (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28651299)

The ATM hack [trollaxor.com] in question.

Ridiculous (5, Insightful)

Anonymous Coward | more than 5 years ago | (#28650065)

So they've had 8 months warning, and now suddenly when researchers want to publish they now want time to fix it? Not indicative of a company that gives a flying fuck about security. They don't deserve time.

Re:Ridiculous (5, Interesting)

Anonymous Coward | more than 5 years ago | (#28650249)

No, they don't... but it depends on the hack.

If it gives out free money, only harming the company which didn't seem to care, then no, don't give them any more time.

If the hack gives them access to innocent people's account details, and they'd be out money, and/or time fighting the bogus withdrawals, then yes, give them time to fix it.

Re:Ridiculous (5, Insightful)

Svartalf (2997) | more than 5 years ago | (#28650467)

Actually, they HAD time to fix it. It still is highly problematic, but the big problem with all this thinking that bars people from disclosing this stuff at the stage it's at right now is the highly flawed thinking that disclosing a vulnerability discloses it to potential attackers who will use it.

It's a bad thing to think the bad guys don't already know what you're showing off and presume that they're not doing it. Depending on the hack, they may be prepping for it or already screwing you over with it and you just don't know it yet. If a white/grey hat found it, I can assure you a black hat either has already found it or will shortly.

Re:Ridiculous (4, Insightful)

spun (1352) | more than 5 years ago | (#28650697)

You've made the classic mistake of assuming corporations have any motivation to do the right thing, as opposed to the profitable thing. They don't give a rat's ass who is using this hack. All they care about is the price of their shares. If keeping a dangerous vulnerability semi-secret for a few more months will help their share price, they don't really care how many people get screwed over. Think of it this way: if their ATMs were electrocuting people at random, they would do a cost benefit analysis to figure out the likely damages awarded at trials, and compare that to the cost of fixing the problem. If fixing the problem were more expensive, the company would happily go on killing people. You think they care about your freaking finances?

Re:Ridiculous (1)

digitalunity (19107) | more than 5 years ago | (#28651005)

Maybe in some regards, but the electrocuting ATM isn't a great example.

There exist numerous product safety laws that could affect the criminal culpability of decision makers in a company who refuse to address serious known safety concerns in their products.

Re:Ridiculous (2, Informative)

idontgno (624372) | more than 5 years ago | (#28651247)

Maybe in some regards, but the electrocuting ATM isn't a great example.

Oh, I dunno, it's not like there hasn't been precedent for companies systematically ignoring lethal electrocution hazards in their work. [go.com]

There exist numerous product safety laws that could affect the criminal culpability of decision makers in a company who refuse to address serious known safety concerns in their products.

As of 2008, with the passing of the Consumer Product Safety Improvement Act of 2008 [cpsc.gov], the criminal penalty for "knowing, willful violation" is 5 years instead of only 1 year per the original 1972 Consumer Product Safety Act. So yeah, the risk of imprisonment is something company officers have to consider, outside of a simple cost/benefit analysis. But realistically, if you play the game right, you may be able to stonewall and obfuscate well enough to make "willful, knowing" violation unprovable, taking that risk off the table. After that, consumer protection penalties are just another number in the "cost" side of the equation, with a "probability of occurrence" value that gets artificially deflated (because that stuff never happens to us).

Re:Ridiculous (1)

maxume (22995) | more than 5 years ago | (#28651017)

The meat entities within a corporation may care about the price of the shares of the corporation, the corporation itself only cares about profits.

Re:Ridiculous (1)

spun (1352) | more than 5 years ago | (#28651165)

Aside from its meat entities, a corporation has no cares, thoughts, or motivations. I could have been more clear, but by 'share price' I meant both the price of the shares, and the dividends provided to shareholders, which equate with profits. The corporation does not care about profits; its shareholders care about profits, which they receive through dividends and increased share price. The corporation is simply a mechanism to allow the shareholders to profit without feeling personally responsible for the actions which generate the profit.

Re:Ridiculous (4, Insightful)

poetmatt (793785) | more than 5 years ago | (#28650493)

Companies only move upon losses and public fiascos. Politeness should be gone by 8 months. Honestly, "this can slash your profits to 0 or below" doesn't sound like a cause for concern?

I'm sure departments within the company can make that same argument for losses but those are harder to take care of than simple software fixes that people are nice enough to be willing to tell them what the issue is. I mean how much easier can you get than someone else doing the job for you, that you didn't do originally? etc etc.

Re:Ridiculous (2, Insightful)

siloko (1133863) | more than 5 years ago | (#28650611)

You got it. The OP was right: they don't give a fuck about security; what they give a fuck about is profits, and a hullabaloo about folk losing cash as a result of compromised machines WILL affect their bottom line, so each and every comment makes a difference. However it doesn't change the system that rewards secrecy over competence.

Re:Ridiculous (1)

spydabyte (1032538) | more than 5 years ago | (#28650847)

If it gives access to innocent people's accounts, then it should be released sooner, destroying the company's reputation, forcing the company to fix the issue in customer reimbursements after losing half of their customer base, to send them under. Sadly, customers would be forced to leave the banks, not the Diebold machines, which supply all banks in certain regions.

Re:Ridiculous (1)

mcgrew (92797) | more than 5 years ago | (#28650277)

We're talking Diebold here, why are you surprised?

Re:Ridiculous (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28650483)

Not sure where you see that. As far as I know Diebold, Wincor, and NCR only put out drivers for Win XP for their ATMs. This is a Win CE bug, it's probably a white-label machine.

Re:Ridiculous (0)

MickyTheIdiot (1032226) | more than 5 years ago | (#28650745)

No. But I'd be even LESS surprised if the vulnerability simply gave money to George Bush's bank account.

Go ahead and mod me "troll," but the only reason Diebold didn't "deliver" the election to George Bush is because they weren't organized and/or smart enough to do it. They had every opportunity.

Re:Ridiculous (4, Insightful)

furby076 (1461805) | more than 5 years ago | (#28650373)

You're right, they don't deserve it - but giving information to criminals to make it easier for them to steal - thus hurting society as a whole - is not the answer. Unfortunately the security of ATMs is greater than these researchers' desire to present their work.

Re:Ridiculous (3, Insightful)

jopsen (885607) | more than 5 years ago | (#28650495)

You're right, they don't deserve it - but giving information to criminals to make it easier for them to steal - thus hurting society as a whole - is not the answer. Unfortunately the security of ATMs is greater than these researchers' desire to present their work.

Releasing the hole does not hurt society, however, it does hurt Diebold customers and partners.

Re:Ridiculous (1)

maxume (22995) | more than 5 years ago | (#28650699)

Does murdering someone hurt society, or just that person?

It's a glib analogy, but it is possible for the consequences of harm to spread further than the entity it is directed at.

Re:Ridiculous (3, Insightful)

furby076 (1461805) | more than 5 years ago | (#28650769)

Releasing the hole does not hurt society, however, it does hurt Diebold customers and partners.

1) Diebold customers/partners did not cause this issue
2) If you use an ATM you are a Diebold customer
3) Diebold will pass the cost to companies which use ATMs and they will pass the cost to you
4) It does hurt society as a whole to enable criminals. Just because you are not directly affected does not make you immune to the effects.

Re:Ridiculous (5, Insightful)

Hizonner (38491) | more than 5 years ago | (#28651189)

1. Diebold (or whoever; I don't know that it's Diebold) customers/partners are primarily banks, which are supposed to be in the business of worrying about securing money. It's negligent for a bank to buy a product without verifying its security. So, yes, they did in some sense cause the problem, or at least they bear a chunk of the blame for it.
2. If I use an ATM, I am a customer of Diebold's (or whoever's) customer, the bank, not a customer of Diebold. And what I'm paying the bank to do is to secure my transactions. I will admit that I've obviously hired an incompetent bank and am perhaps at fault for doing so, but that doesn't excuse the bank's incompetence. And I think my fault is reduced by the unavailability of banks that actually do their jobs, whereas banks would have access to decent ATMs if they bothered to demand them.
3. Where do people get this nonsense? Diebold (or whoever) already charges as much for the ATMs as it can get away with. They don't set prices based on their costs; they set prices based on what customers will pay, subject only to the proviso that if customers won't pay what it costs to make the product, they won't make the product at all. To a first approximation, in a properly functioning market with competition (and there is competition in ATMs), prices fall to approach marginal cost of production (for the most efficient producer). This doesn't increase marginal cost of production for anybody.
4. Maybe, except that it's NON-disclosure that actually enables the criminals, and that goes beyond this particular bug and beyond the case of ATMs. Not only does non-disclosure enable ATM manufacturers and whoever else to continue to ignore the problem while the criminals continue to exploit it, but, by encouraging other companies in similar situations to do the same, it guarantees further problems. To prevent companies in general from ignoring problems, there needs to be a credible threat of disclosure if there isn't prompt action on reported problems. 8 months is way, way more than enough time. In order to maintain the credibility of the threat of disclosure, there needs to actually BE disclosure once in a while, so that companies know they actually have to live up to their responsibilities.

Re:Ridiculous (1)

viruswatts (1039928) | more than 5 years ago | (#28651225)

The first time I saw a dollar and a half charge to get my own money, I never touched an ATM again.

Re:Ridiculous (1)

moortak (1273582) | more than 5 years ago | (#28651291)

The problem with that is that the hole is there. It may or may not be in the wild and the company has not taken action in 8 months. It may very well be that the only way to push the company to act is full public disclosure.

Re:Ridiculous (2, Insightful)

MightyYar (622222) | more than 5 years ago | (#28650827)

Releasing the hole does not hurt society, however, it does hurt Diebold customers and partners.

I'd have to know more details. The manufacturer is not the one who will feel the direct repercussions of this hack - the ATM owners will. It might have been more effective for the researcher to inform some of the larger customers rather than the company. I'd bet that a big bank leaning on Diebold would have been more effective than this researcher disclosing a secret exploit.

Re:Ridiculous (1)

thePowerOfGrayskull (905905) | more than 5 years ago | (#28651203)

And anyone who is unfortunate enough to have a bank with a diebold machine, depending on the nature of the exploit...

Re:Ridiculous (0)

Anonymous Coward | more than 5 years ago | (#28650551)

Unfortunately there is no way to know whether the "security of ATMs" is still intact. Individuals less scrupulous than the researcher may have already found this vulnerability and may be actively exploiting it.

Re:Ridiculous (4, Insightful)

arose (644256) | more than 5 years ago | (#28650635)

Current situation: society as a whole does not know the vulnerability or its scope, criminals might or might not know the vulnerability and might or might not be actively exploiting it.

Full disclosure: anyone with enough brains and guts can exploit the vulnerability, society at large can take steps to minimize the risk since it is now known what exactly the risk is.

Re:Ridiculous (1)

furby076 (1461805) | more than 5 years ago | (#28650815)

Current situation: society as a whole does not know the vulnerability or its scope, criminals might or might not know the vulnerability and might or might not be actively exploiting it. Full disclosure: anyone with enough brains and guts can exploit the vulnerability, society at large can take steps to minimize the risk since it is now known what exactly the risk is.

Society as a whole does not know of the vulnerability. You are correct. Full disclosure of the vulnerability will allow those who have the desire/means to exploit it. No it won't be as easy as walking into a 7-11 with a shotgun, but there are plenty of computer geeks who would exploit such a loophole to make some cash.

Since we can't set up a security guard/cop by every ATM unit 24/7 until a patch is released, criminals will be able to rob the machine... as simple as going to the unit at 4 AM with a ski mask and doing what needs to be done (assuming it's not something that can be done remotely).

Re:Ridiculous (0)

Anonymous Coward | more than 5 years ago | (#28651141)

More like

Current situation: "Society" as a whole does not know about the vulnerability, a small portion of the population knows that there is a vulnerability (slashdotters and the like), even fewer know what the vulnerability is, and a few criminals actually are actively exploiting it ($9 mil from 130 machines according to the summary).

Full Disclosure: Anyone with guts can try and exploit the vulnerability, some will succeed, most won't, but the ATM manufacturers like Diebold will probably be just as incompetent as they have always been. News outlets might report on the vulnerability, maybe even causing a run on 1 or 2 smaller (like neighborhood local only small) banks if the hype hits the masses similar to the way the whole H1N1 thing did.

Re:Ridiculous (3, Insightful)

nthitz (840462) | more than 5 years ago | (#28650383)

Agreed, 8 months is long enough. If they haven't fixed it by now, they certainly need some incentive to!

Juniper is unscrupulous. (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28650389)

Read about the lawsuit [findarticles.com] that David Abramson filed against Juniper. You can get more information by searching (a. k. a. "Binging") on the Web.

Juniper had tried to block the suit by unfairly forcing Abramson into arbitration but reserved the right for itself to use a lawsuit against him. The Superior Court ruled against Juniper.

Re:Ridiculous (2, Insightful)

joelmax (1445613) | more than 5 years ago | (#28650471)

I agree the ATM manufacturer doesn't deserve time, but the consumer does. How would you like it if someone stole your account info on a hacked ATM and pillaged your bank accounts and credit card info? Not too good I'll bet. For the sake of protecting the consumer, this should be withheld.

Re:Ridiculous (4, Interesting)

compro01 (777531) | more than 5 years ago | (#28650705)

Being as the exploit is already in the fucking wild and being actively exploited, preventing the information from being presented is completely and totally pointless.

Re:Ridiculous (4, Interesting)

Talderas (1212466) | more than 5 years ago | (#28650797)

Not really. Despite the exploit being out there, there are likely only a few malicious people that know about it. If the hack requires physical access to the machine, this means the number of machines that are exploited is less. As other people have mentioned.... once the exploit is significantly more public, that will increase the number of malicious people that know about it and increases the number of exploited machines.

There's a lot of people who can apply exploits. There aren't as many that can discover them.

Re:Ridiculous (1)

neomunk (913773) | more than 5 years ago | (#28650793)

The argument being made isn't that people should get hacked, so this should be released. The argument being made is that by withholding this information corporate complacency will allow whoever is ALREADY using this exploit to continue to do so (as it has for the past 8 months). Your argument falls down from the point of view that releasing the information will force the company to promptly issue a fix for the vulnerability. In fact, your point of view is only valid if the company cannot or will not patch the exploit. Security through obscurity is a joke, plain and simple, trying to strengthen security via ARTIFICIAL obscurity is just plain desperate. If you really care about your accounts, push for fixes not whitewashes.

So, I say, for the sake of protecting the customer, this should be released.

Re:Ridiculous (0)

Anonymous Coward | more than 5 years ago | (#28651083)

You're working under the assumption that this hack is not already out in the wild.

In fact, to protect the customer, it should be released to the general public: if everyone knows about the dangers of using an ATM, then they won't use one. Hence, their account info will be safer because it won't be taken by a rogue system. Plus, it gives the company much greater incentive to fix the problem and restore trust.

8 Months Is Not Enough Time (1)

brunes69 (86786) | more than 5 years ago | (#28651007)

Do you have any idea what the QA procedure would be for a release of baking software?

The QA cycle on it alone would be 6-12 months. Then you would need 6-12 months to roll it out to all the ATMs globally.

Re:8 Months Is Not Enough Time (1)

ColdWetDog (752185) | more than 5 years ago | (#28651145)

Baking software? Really? For cookies? Or pizza?

Man, I didn't think that setting a temperature and a time was that hard.

Re:8 Months Is Not Enough Time (1)

zippyspringboard (1483595) | more than 5 years ago | (#28651205)

Well yes, but when you are dealing with baking software people's very health and welfare are at stake. Great Scott man, raw eggs can kill! Banking software is not nearly as stringent.

Oh I dunno (1)

AnalPerfume (1356177) | more than 5 years ago | (#28651211)

I reckon time is exactly what they deserve, I'm sure we could make room next door to Madoff. Perhaps they will discover the alternate meaning of ATM first hand while there, as taught by the ever present Big Bubba and colleagues.

Oh, wait....you meant time to fix the problem. My bad ;)

Re:Ridiculous (2, Interesting)

Brian Edwards (1429281) | more than 5 years ago | (#28651305)

The vendor in question is likely Microsoft:

"The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago."

My guess is that Microsoft is not excited about fixing bugs in CE, and would rather just extend their "security through obscurity" strategy to include censoring researchers.

What I don't get (0, Offtopic)

For a Free Internet (1594621) | more than 5 years ago | (#28650113)

Is why everyone cares so much about Money. It's just pieces of paper and little bits of metal. What really matters is Love! If people stopped worrying about money then maybe there wouldn't be so much poverty and swine flues. Also, I read that Linuxes are free, so, again, we don't need money anymore, since our computers are free! Look at the big picture, people.

Re:What I don't get (5, Funny)

4D6963 (933028) | more than 5 years ago | (#28650169)

Is why everyone cares so much about Money. It's just pieces of paper and little bits of metal. What really matters is Love!

Well, with money anyone can get some temporary love! And permanent herpes.

Re:What I don't get (3, Insightful)

sopssa (1498795) | more than 5 years ago | (#28650289)

And some more long-term loving as well. That is, until she has spent all your money.

Re:What I don't get (0)

Anonymous Coward | more than 5 years ago | (#28650195)

We're slashdotters, who would love us...? :'(

They say you can't buy love, but it can be hired.

Re:What I don't get (0)

Anonymous Coward | more than 5 years ago | (#28650731)

If people stopped worrying about money then maybe there wouldn't be so much poverty and swine flues.

I don't worry about money cause I just steal yours, you dumb moonbat

WinCE when you say that (3, Insightful)

mspohr (589790) | more than 5 years ago | (#28650115)

I can't believe that people use WinCE for a real world application that requires security and reliability. The morons who built these systems are reaping the reward for their ignorance.

Re:WinCE when you say that (5, Informative)

aristotle-dude (626586) | more than 5 years ago | (#28650193)

I can't believe that people use WinCE for a real world application that requires security and reliability. The morons who built these systems are reaping the reward for their ignorance.

A lot of ATMs were previously running IBM OS/2 and were pretty stable. Not only are these ATMs now exploitable but they are also much slower than before they were "upgraded" to WinCE.

Upgrades are supposed to improve functionality or improve performance but the text UI actually got about 2X slower to respond.

They got the ability to talk though (5, Informative)

Sycraft-fu (314770) | more than 5 years ago | (#28650479)

They are now much easier for the disabled to use. While it was possible for someone who was blind to use an OS/2 ATM, it relied more or less on memorizing what to do. The buttons had braille on them but there wasn't really any feedback other than beeps. So it was a situation of memorize the key presses to do what you want. New ATMs have headphone jacks and can give audio feedback, allowing those with vision problems to use them much more easily.

Re:They got the ability to talk though (1)

just_another_sean (919159) | more than 5 years ago | (#28650563)

Seems to me that that type of functionality could have been added to the OS/2 versions. Was it really necessary to completely replace the OS to get that type of functionality? I know that IBM gave up on supporting OS/2 but couldn't an experienced programmer do this without IBM's help?

Re:They got the ability to talk though (1)

FishWithAHammer (957772) | more than 5 years ago | (#28650777)

That's not what he means.

To get the headphone jack upgrades, they needed new ATMs. Retrofitting old ones would have been very costly in terms of manpower.

OS/2 does not run on those new ATMs.

Re:They got the ability to talk though (1)

Jaysyn (203771) | more than 5 years ago | (#28650573)

Headphone jacks are hardware, not software. You don't really think that OS/2 is incapable of sound, do you?

Re:They got the ability to talk though (1)

Nimey (114278) | more than 5 years ago | (#28650617)

New post-OS/2 ATMs have the headphone jacks. To put OS/2 on new hardware would be non-trivial.

Re:They got the ability to talk though (1)

Sycraft-fu (314770) | more than 5 years ago | (#28650929)

OS/2 v 1.1? Ya, might well be. It was incapable of graphics, I don't know that it would be capable of sound either. This wasn't even a new OS/2 they were running, it was an extremely old version, even by OS/2 standards.

Improve functionality? (3, Interesting)

Peter Simpson (112887) | more than 5 years ago | (#28650529)

It's an ATM.

It reads a card, checks your balance and pokes money out a slot.

What increased functionality is there?

(well, yes, it takes in deposits, too, but...)

Really, why aren't these things running the most limited OS possible? Running WinXP on them is just silly. I would have thought WinCE would be more locked down, but apparently not.

The comment about OS/2 machines being more secure is interesting. I'd rather have IBM running my cash machines than Microsoft.

Re:Improve functionality? (2, Funny)

Lumpy (12016) | more than 5 years ago | (#28650739)

New from Microsoft.

Windows 7 ATM edition. Now with richer multimedia and features! Give your customers access to a media center while they wait for their money!

Don't laugh. Somewhere a manager at Microsoft thought of this and pitched it.

Re:Improve functionality? (1)

Amphetam1ne (1042020) | more than 5 years ago | (#28651131)

What increased functionality is there?

Bill payments & Pre-pay phone top-ups. Although in theory all they would need to be is additional UI options, because the actual processing would be taken care of at the server.

Re:WinCE when you say that (0, Troll)

Jamie's Nightmare (1410247) | more than 5 years ago | (#28650641)

And a lot of them aren't very stable or fast, no matter what OS is used to host the ATM software application being used on the machine. The problem? Often it's the client software. Who gets the blame? The Microsoft OS. From who? Microsoft haters and immature Linux zealots.

Re:WinCE when you say that (1)

Afty0r (263037) | more than 5 years ago | (#28650643)

Upgrades are supposed to improve functionality or improve performance but the text UI actually got about 2X slower to respond.

A large number of upgrades/changes in infrastructure & platform are actually driven with the primary goal of decreasing cost base.

This is especially true in a poor economy, such as right now.

Re:WinCE when you say that (2, Interesting)

jonwil (467024) | more than 5 years ago | (#28651025)

One big reason to update from OS/2 to Windows is that it's a lot easier to add new functionality to the Windows version of the ATM software than it is to add new functionality to the older OS/2 ATM software.

Examples of new functionality ATM operators may want or need to add:
1. Advertising (for loans, credit cards etc) whilst the ATM talks to all the computers and you wait for your money to come out
2. Prepaid credit vouchers of various kinds (e.g. for prepaid mobile phones)
3. Changes in the law (this last one happened recently here in Australia where there is now a new rule where if you use an ATM that doesn't belong to your bank, the owner of the ATM charges you the fee and not the bank where your account is. Also, the ATM is required to display the cost of this new "direct charge")
4. Better accessibility for disabled people (e.g. deaf or blind)

Re:WinCE when you say that (1)

ArhcAngel (247594) | more than 5 years ago | (#28650291)

I agree, they should have kept using OS/2 [wikipedia.org] .

Re:WinCE when you say that (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28650327)

Think about the CHILDREN! ... and eye candy

Re:WinCE when you say that (0, Troll)

Jamie's Nightmare (1410247) | more than 5 years ago | (#28650525)

I call bullshit. We didn't even get to see the demonstration itself. It's entirely possible that no OS could prevent the style of intrusion that was going to be demonstrated. But, you get extra Microsoft bashing points just for pointing out the host OS used, whether or not it was part of the problem.

MS doesn't recommend WinCE either . . . (2, Informative)

PolygamousRanchKid (1290638) | more than 5 years ago | (#28650585)

. . . from TFA:

The operating system used in the affected system, Windows CE, poses hurdles to a quick fix. Microsoft recommends that Windows CE is used for "low-end cash-dispensing ATMs," while Windows XP Embedded and Windows XP Professional are used on more full-featured ATMs, according to a white paper on kiosk and ATM operating-system platforms issued by the software maker. Windows XP Embedded, the latest version of which is Windows Embedded Standard 2009, and Windows XP Professional are more secure because they are easier to update, the software giant says.

Re:MS doesn't recommend WinCE either . . . (0)

Anonymous Coward | more than 5 years ago | (#28650881)

Microsoft recommends that Windows CE is used for "low-end cash-dispensing ATMs"

So, it's just the low end non-enterprisey ones that just dispense money that are vulnerable. That's alright then.

Re:WinCE when you say that (2, Funny)

Ray (88211) | more than 5 years ago | (#28650809)

Uh, no. Now WE'RE reaping the reward for their ignorance.

Release it anyway (5, Insightful)

Hatta (162192) | more than 5 years ago | (#28650183)

You don't need a conference to publicize a security problem. Post it on the internet, and the vendor will have plenty of incentive to implement a fix immediately.

Re:Release it anyway (1)

netruner (588721) | more than 5 years ago | (#28650379)

Isn't this what Wikileaks was made for?

Re:Release it anyway (1)

furby076 (1461805) | more than 5 years ago | (#28650431)

Step 1) Develop fix... duration days to months
Step 2) Test fix in test environment to make sure it doesn't cause other problems... duration days to months
Step 3) Implement fix in all ATMs... duration weeks to months

In the meantime criminals are stealing billions of dollars over the course of that time. It's easy to say "boo hoo, sucks to be you" but allowing criminals to steal is abhorrent. Even if the money stolen does not affect the consumer pocket-book, in the end the cost of this will trickle down to the consumer.

Re:Release it anyway (1)

Avenger546 (69810) | more than 5 years ago | (#28650875)

Totally agreed. However, they've now had 8 months since Juniper notified them about the issue. If they aren't in step 3 right now, they totally deserve the public shaming (and loss of stock share value) they would receive.

Re:Release it anyway (4, Insightful)

AndersOSU (873247) | more than 5 years ago | (#28650913)

You don't think these ATMs will stay up if an exploit is published do you?

The sequence of events goes something like this:
Bank buys shitty ATMs
Exploits are developed
People start stealing from ATMs
Someone gives the ATM manufacturer the exploit and tells them to fix their problem
People continue to steal from ATMs
Someone (publicly) threatens to publish
ATM company says, "hold on give us a minute to fix it"
People continue stealing from ATMs

scenario A
ATM company fixes the problem
Banks and consumers never know their assets were exposed

scenario B
ATM company stalls
people continue to steal from ATMs
someone publishes
a whole lot of money is suddenly stolen in a very short time period
Banks shut down all vulnerable ATMs
Customers notice their ATMs don't work - maybe ask questions
Banks sue ATM manufacturer, become a little more careful about who they do business with in the future

Re:Release it anyway (1)

Hatta (162192) | more than 5 years ago | (#28650931)

They've had 8 months to fix their ATMs. For all we know now criminals have been stealing billions of dollars over that time. The responsible thing for this company to do is to shut down every affected ATM now until a fix is applied. They haven't done so, and clearly need a greater incentive.

Re:Release it anyway (2, Insightful)

Tony Stark (1391845) | more than 5 years ago | (#28650485)

That's right. IMHO, the reason some companies, such as in this case, suddenly decide to fix something after 8 months is because they are about to lose face. I think it must be a vulnerability that allows the hacker to obtain sensitive information about innocent people, as opposed to the company losing money directly. If the company was losing money, it would've been fixed 8 months ago. However, once it comes out that the company knew about it for 8 months and hasn't fixed it, the company will lose face and lose contracts because of that. That would explain the company's lackadaisical attitude in all of this. I miss the old days. This would've been posted on a BBS 7 months and 29 days ago.

Too much pr0n (4, Funny)

mandark1967 (630856) | more than 5 years ago | (#28650225)

Every time I see "ATM" these days I think "Anal to Mouth".

I need to stop surfing the Diabolic site....

Re:Too much pr0n (0)

Anonymous Coward | more than 5 years ago | (#28650313)

EEeeeeewww....

Re:Too much pr0n (2, Funny)

AnalPerfume (1356177) | more than 5 years ago | (#28650593)

Actually ATM (Ass To Mouth) kinda sums up the capitalist system quite well; you have to be fucked in the ass by the corporations to earn money to put food in your mouth. Only the few at the top do the actual fucking. Perhaps naming the machine that you rely on to give you your reward for being an obedient gimp an ATM is another way of giving them a chuckle. Who cares if the ATMs are hacked? The rules they paid their politicians to introduce will ensure the little guy always pays, and the rich never use ATMs. Even when they're working fine, many ATMs charge you for access to YOUR money. You already took a shot in the ass to earn it in the first place.

In the UK, the banking industry pulled a fast one with chip & pin (something I refuse to use), is it any wonder they pull this shit?

ATMs? I know a little about that! (1)

BankofAmerica_ATM (537813) | more than 5 years ago | (#28650315)

It seems like the agents of Project Faustus are afoot. If I were that security researcher, I would look into getting some life insurance...immediately! One cannot underestimate the threat posed by Faustus.

Is this an overstated problem? (1)

tjstork (137384) | more than 5 years ago | (#28650355)

If we estimate that world wide, only 8 million dollars was stolen out of ALL of the ATMs that are out there, I would think that that's actually a success, more than a liability.

I mean, people steal more than that in cars, in what, every few hours?

Re:Is this an overstated problem? (2, Funny)

maxume (22995) | more than 5 years ago | (#28650821)

I'm pretty sure the proper /. unit for theft/time is the Madoff. Guessing that he stole about 25 billion dollars over 30 years (this is just an off the cuff estimate, the actual value of the Madoff may vary), 9 million dollars per month (I think that's what the summary says) is a rate of about 0.13 Madoffs.

No surprise here... (2, Interesting)

Svartalf (2997) | more than 5 years ago | (#28650403)

It is quite unsurprising, really. We see the same thing going on in the SCADA security space. The book, Hacking Scada: Industrial Network Security From the Mind of the Attacker [hackingscada.com], has been held up for at least a year past its original planned publication date for similar thinking.

Windows on ATMs? (0)

Anonymous Coward | more than 5 years ago | (#28650405)

What? They put Windows on ATMs? ...and they're still surprised people are hacking them?

vote of confidence? (2, Funny)

moskrin (53287) | more than 5 years ago | (#28650457)

so diebold's ATMs are as good as their voting machines!

Whenever I hear about ATM hacking.... (2, Funny)

Bicx (1042846) | more than 5 years ago | (#28650475)

... I know in my heart that John Connor is to blame. Or at least his mom, for teaching him how to hack ATMs. What I don't understand is this: why did John Connor only withdraw 3 dollars?

Security holes need to be public (1)

192939495969798999 (58312) | more than 5 years ago | (#28650535)

Hiding security holes doesn't mean they aren't there. Everyone knows that a bank has a fairly obvious security hole - most people would rather hand the money over vs. getting shot, so bank robbers tend to burst in guns blazing and then make off with tons of cash. Since that's public knowledge, it's easier to defend against such tactics. Hiding that would make both the bank and its customers more susceptible to gun-toting robber attacks, since they would be unprepared for the unknown.

Another odd device running Windows CE (2, Insightful)

RyoShin (610051) | more than 5 years ago | (#28650537)

It's unfortunately not too odd to hear that ATMs run Windows (especially with some of the error messages I've seen). But there are even odder devices running Windows.

I work at a somewhat-hated international retailing chain that will go unnamed, and while working there the other night my merchandise scanner, one of the portable hand-held ones used on the floor, froze. Not uncommon, but when I reset it, it booted into Windows CE. A normal Windows desktop. I tried starting Windows Media Player, but it wouldn't do anything. The funny thing is that when it works properly, it uses minimal ASCII art and no graphics at all.

Why these kinds of things need to use Windows is beyond me. Windows, security issues aside, is alright for general purpose machines, but not highly-specialized machines like a scanner or ATM.

Re:Another odd device running Windows CE (3, Insightful)

TheRealMindChild (743925) | more than 5 years ago | (#28650953)

Why these kinds of things need to use Windows is beyond me. Windows, security issues aside, is alright for general purpose machines, but not highly-specialized machines like a scanner or ATM.

Sir, you are confusing Desktop Windows with Embedded Windows. While the source base is starting to be shared, their targets and goals are substantially different. Windows CE IS meant to be highly-specialized for highly-specialized machines. You don't even have to build in graphical output. I've seen usable CE images take up ~2MB of memory total.

Re:Another odd device running Windows CE (1)

RyoShin (610051) | more than 5 years ago | (#28651107)

Thanks for the info. I thought Windows CE was something like a streamlined Windows Mobile OS. :)

Never fear, BH presentation likely (5, Interesting)

2gravey (959785) | more than 5 years ago | (#28650623)

For those of you who aren't aware, the Black Hat tradition for vulnerability presentations which have been similarly blocked due to court orders, etc. is to offer BH a replacement safe/bland presentation and then deliver the banned exploit demonstration regardless. This action typically results in a large lawsuit against the researcher's employer, subsequent termination of the researcher, and a short-lived rock star notoriety for the researcher making the aforementioned termination totally worth it.

Re:Never fear, BH presentation likely (1)

CannonballHead (842625) | more than 5 years ago | (#28651289)

Termination of the researcher? That sounds kinda violent.

Not forced! (5, Informative)

Sockatume (732728) | more than 5 years ago | (#28650721)

The article is transparent in saying that he chose to cancel his own presentation of his own volition, because it hadn't been fixed yet.
